Introduction to the scanning phase

Great, we have seen how to use SpiderFoot to gather public information on our target.

Now, we are going to start the scanning phase.

The scanning phase, also called active reconnaissance, consists of interacting directly with our target to try to retrieve technical information using different tools.

In this course, we will mainly focus on two essential tools.

The first tool is Nmap (Network Mapper), which is the most widely used scanner in the penetration testing and ethical hacking industry.

Nmap will allow us to discover open ports and identify the network protocols used by the server or servers you are testing (TCP or UDP at the transport layer, and specific services such as HTTP, SSH, FTP, SMTP, etc.).

Thanks to Nmap, you will also be able to identify the precise version of each service running.

For example, if you scan a web server, you can discover the exact version of the HTTPD service used, then check if this version has known vulnerabilities or if there is a public exploit for it.

All of this is possible with Nmap.

Nmap will also allow you to detect the operating system used by the target machine (whether Windows, macOS, or Linux with the exact distribution).

It is an extremely flexible, powerful, and feature-rich tool that we will study in detail in the next lesson.

The second tool we are going to study is Nessus.

Unlike Nmap, Nessus is not open source; it is developed by the company Tenable.

We will see how to download and install it.

Nessus is an automated vulnerability scanner.

You just need to give it the IP address of the target server or network, and Nessus will launch a thorough analysis to detect security weaknesses.

At the end, it generates a detailed report listing all the vulnerabilities found, classified by severity level, and proposes precise recommendations to fix these flaws.

Each tool has its strengths and weaknesses, and we will use them in a complementary manner to gather as much information as possible.

However, be very careful when you launch scans on a client's server or network.

Scanning consists of sending many packets and analyzing the received responses.

This generates significant network traffic and can sometimes saturate or disrupt fragile or poorly configured infrastructures.

An aggressive Nmap scan or a poorly configured Nessus analysis can go as far as crashing a service or bringing down an entire network.

This can prove catastrophic on a production network if your client cannot afford service interruptions.

As a pentester, you are always responsible for the tools you execute.

I therefore recommend that you always double-check the Rules of Engagement established at the beginning of the penetration test.

Never launch scans at random: be careful, proceed strategically, and move forward methodically.

In the next lessons, we will discover Nmap and Nessus in practice.
